Re: DPAPI protection credentials used with smartcard logons

From: Amit Rahul [MS] (arahul_at_online.microsoft.com)
Date: 05/28/04


Date: Thu, 27 May 2004 17:40:55 -0700

DPAPI actually uses a symmetric key derived from the Master Key for
encryption/decryption. This Master Key gets refreshed at a certain interval of
time (typically 3 months), though we do store the old encrypted master keys
as well for retrieving data encrypted with those. When the user changes password,
DPAPI refreshes in the sense that the master keys are re-encrypted with the
new credentials. If you don't change the password (smartcard-only
environment) you will still get new master keys after those intervals of
time.

-- 
Thanks,
Amit Rahul [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Alon Bar-Lev" <alon@xor-t.com> wrote in message
news:OesDVi9QEHA.3300@TK2MSFTNGP09.phx.gbl...
> Hello,
>
> I want to add one more question...
> If that is the case, how often is this derivation changed?
> In the case of a password, every time the user changes his password, the
> DPAPI refreshes.
> Should we understand that in environment where only smartcards are being
> used, this secret is never changed?
>
> This question also refers to Kerberos ticket decryption... As I
> understand it, it works the same.
>
> Best Regards,
> Alon Bar-Lev
>
> "John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
> news:egYwKj2QEHA.3732@TK2MSFTNGP11.phx.gbl...
> > DPAPI doesn't special case the smartcard case. It encrypts user data with a
> > derivation of the user password (the NTOWF) in the same way, regardless of
> > whether the user logged on with a password or with a smartcard.
> >
> > When a user logs on with a smartcard, the NTOWF value is obtained from the
> > user's domain controller as part of the Kerberos authentication, and stored
> > in the user's logon session. When a user logs on with a password, the NTOWF
> > is computed directly from the entered password.
> >
> > Regards,
> > John Banes
> > [Microsoft Security Developer]
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Please do not send email directly to this alias. This alias is for newsgroup
> > purposes only.
> >
> > "Lars Olaussen" <Isolauss@hotmail.com> wrote in message
> > news:e6%236F0xQEHA.1392@TK2MSFTNGP09.phx.gbl...
> > > Cut from the Windows Data Protection document on MSDN:
> > >
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
> > >
> > > ----
> > > Keys and Passwords in DPAPI
> > > DPAPI is focused on providing data protection for users. Since it
> > > requires a password to provide protection, the logical step is for DPAPI
> > > to use a user's logon password, which it does, in a way. DPAPI actually
> > > uses the user's logon credential. In a typical system, in which the user
> > > logs on with a password, the logon credential is simply a hash of the
> > > user's password. In a system in which the user logs on with a smart
> > > card, however, the credential would be different. To keep matters
> > > simple, we'll use the terms user password, logon password, or just
> > > password to refer to this credential.
> > > ---
> > >
> > > When using smartcards for logon, what credentials are used to provide
> > > the DPAPI protection? Would this be some sort of derived hash based on
> > > the Kerberos ticket?
> > >
> > >
> > > Regards,
> > > Lars Olaussen
> > > Isolauss@hotmail.com
> > >
> > >
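The key lifecycle the replies above describe (user blobs protected under a per-user master key; master keys wrapped under a credential derived from the NTOWF; a fresh master key on each refresh interval with the old ones retained; re-wrapping, but no new master keys, on a password change), as an added Python model that is not code from this thread or from Microsoft. Only the NTOWF step is the real computation: MD4 over the UTF-16LE password, implemented here because OpenSSL 3 builds of hashlib often lack md4. Everything else is an assumption made so the model runs on the standard library: the PBKDF2-SHA256 credential-to-wrapping-key derivation, the SHAKE256/HMAC toy cipher, the GUID-plus-salt record layout, and the names MasterKeyStore, rotate, change_password, protect and unprotect are mine, not DPAPI's real KDF, cipher or on-disk format. The passwords and blob contents are constructed sample data.

```python
import hashlib, hmac, os, struct, uuid

MASK = 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            r, j = divmod(i, 16)
            if r == 0:
                f, k, s, t = F, j, (3, 7, 11, 19)[j % 4], 0
            elif r == 1:
                f, k, s, t = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, t = H, (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f(b, c, d) + X[k] + t) & MASK, s), b, c
        state = [(v + w) & MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntowf(password: str) -> bytes:
    """NT one-way function: MD4 over the UTF-16LE password (the real computation)."""
    return md4(password.encode("utf-16-le"))

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (SHAKE256 keystream, HMAC-SHA256 tag); stands in for DPAPI's real cipher."""
    nonce = os.urandom(16)
    ks = hashlib.shake_256(b"ks" + key + nonce).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong credential or master key")
    ks = hashlib.shake_256(b"ks" + key + nonce).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class MasterKeyStore:
    """One user's master keys: guid -> salt || master key wrapped under the credential (assumed layout)."""

    def __init__(self, credential: bytes):
        self.credential = credential  # the NTOWF, whichever way the user logged on
        self.master_keys = {}
        self.rotate()

    def _wrap_key(self, salt: bytes) -> bytes:
        # Assumed stand-in for DPAPI's credential-to-wrapping-key derivation.
        return hashlib.pbkdf2_hmac("sha256", self.credential, salt, 10_000)

    def _wrap(self, mk: bytes) -> bytes:
        salt = os.urandom(16)
        return salt + _seal(self._wrap_key(salt), mk)

    def _unwrap(self, guid: bytes) -> bytes:
        rec = self.master_keys[guid]  # KeyError: the blob names a master key this user never had
        return _open(self._wrap_key(rec[:16]), rec[16:])

    def rotate(self) -> None:
        """Periodic refresh: add a fresh master key and keep the old ones for old blobs."""
        self.current = uuid.uuid4().bytes
        self.master_keys[self.current] = self._wrap(os.urandom(64))

    def change_password(self, new_credential: bytes) -> None:
        """Password change: re-wrap every master key; the keys themselves do not change."""
        plain = {g: self._unwrap(g) for g in self.master_keys}
        self.credential = new_credential
        self.master_keys = {g: self._wrap(mk) for g, mk in plain.items()}

    def protect(self, data: bytes) -> bytes:
        blob_key = hmac.new(self._unwrap(self.current), b"blob", hashlib.sha256).digest()
        return self.current + _seal(blob_key, data)  # the blob carries its master key GUID

    def unprotect(self, blob: bytes) -> bytes:
        blob_key = hmac.new(self._unwrap(blob[:16]), b"blob", hashlib.sha256).digest()
        return _open(blob_key, blob[16:])

def lifecycle_demo() -> dict:
    """Protect, rotate, protect, change password, read both blobs; then try without the NTOWF."""
    user = MasterKeyStore(ntowf("Winter2004!"))  # constructed sample password
    blob1 = user.protect(b"saved under master key 1")
    user.rotate()                                # the periodic refresh from the thread
    blob2 = user.protect(b"saved under master key 2")
    user.change_password(ntowf("Spring2005!"))   # a smartcard-only user never reaches this step
    result = {"key_count": len(user.master_keys),
              "blob1_ok": user.unprotect(blob1) == b"saved under master key 1",
              "blob2_ok": user.unprotect(blob2) == b"saved under master key 2"}
    user.credential = ntowf("guess")             # someone who does not hold the NTOWF
    try:
        user.unprotect(blob1)
        result["wrong_credential_fails"] = False
    except ValueError:
        result["wrong_credential_fails"] = True
    return result
```

Two things the model makes visible that the prose only states. First, blob1 still opens after the refresh because it names master key 1 by GUID and that key is retained, which is why old master keys cannot simply be deleted. Second, for a smartcard-only user the credential handed to MasterKeyStore is the NTOWF the domain controller returns at Kerberos logon; since that value does not change, change_password is the step that never happens for them, while rotate still runs on the refresh interval, exactly the situation Alon asked about.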